[apparmor] [patch] Samba profile updates for ActiveDirectory / Kerberos

Seth Arnold seth.arnold at canonical.com
Tue Aug 22 19:58:32 UTC 2017


On Tue, Aug 22, 2017 at 01:09:47PM +0200, Christian Boltz wrote:
> Hello,
> 
> the Samba package used by the INVIS server (based on openSUSE) needs
> some additional Samba permissions for the added ActiveDirectory /
> Kerberos support.

Is the sss/ms/initgroups change intentional? Should that go into
abstractions/nameservice instead?

Thanks

> 
> I propose this patch for 2.9, 2.10, 2.11 and trunk.
> 
> 
> [ samba.diff ]
> 
> === modified file ./profiles/apparmor.d/abstractions/samba
> --- profiles/apparmor.d/abstractions/samba      2017-07-16 21:43:30.714865518 +0200
> +++ profiles/apparmor.d/abstractions/samba      2017-08-20 12:17:51.090469752 +0200
> @@ -13,6 +13,7 @@
>  
>    /etc/samba/* r,
>    /usr/lib*/ldb/*.so mr,
> +  /usr/lib*/samba/ldb/*.so mr,
>    /usr/share/samba/*.dat r,
>    /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
>    /var/cache/samba/ w,
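
Review bot: The added `/usr/lib*/samba/ldb/*.so mr,` rule duplicates the shape of the `/usr/lib*/ldb/*.so mr,` line directly above it, so the two could be folded into a single rule, `/usr/lib*/{,samba/}ldb/*.so mr,`, using the same brace alternation this file already uses for the codepages entry. Because this file is an abstraction, the new mmap/read permission reaches every profile that includes it, not only the AD/Kerberos case named in the cover text, so the commit message should say which component loads modules from the `samba/ldb` directory.
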
> === modified file ./profiles/apparmor.d/usr.sbin.smbd
> --- profiles/apparmor.d/usr.sbin.smbd   2016-05-08 14:04:55.559442000 +0200
> +++ profiles/apparmor.d/usr.sbin.smbd   2017-08-20 12:19:07.582053817 +0200
> @@ -41,6 +41,7 @@
>    /var/cache/samba/** rwk,
>    /var/{cache,lib}/samba/printing/printers.tdb mrw,
>    /var/lib/samba/** rwk,
> +  /var/lib/sss/mc/initgroups r,
>    /var/lib/sss/pubconf/kdcinfo.* r,
>    /{,var/}run/dbus/system_bus_socket rw,
>    /{,var/}run/samba/** rk,
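
Review bot: The added `/var/lib/sss/mc/initgroups r,` line in usr.sbin.smbd grants access to an sss cache path rather than a Samba-owned one, and nothing in the patch description explains why smbd specifically needs it. If the read comes from ordinary name-service lookups, the rule belongs in a shared abstraction so other confined services get it too and smbd does not carry a one-off exception; if it is smbd-specific, say so in the commit message. Note also that the winbindd hunk in this same patch does not get the rule, which is worth confirming as intended.
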
> === modified file ./profiles/apparmor.d/usr.sbin.winbindd
> --- profiles/apparmor.d/usr.sbin.winbindd       2016-08-03 13:55:52.679521428 +0200
> +++ profiles/apparmor.d/usr.sbin.winbindd       2017-08-20 12:20:10.701713358 +0200
> @@ -20,6 +20,7 @@
>    @{PROC}/sys/kernel/core_pattern r,
>    /tmp/.winbindd/ w,
>    /tmp/krb5cc_* rwk,
> +  /usr/lib*/samba/gensec/krb*.so mr,
>    /usr/lib*/samba/idmap/*.so mr,
>    /usr/lib*/samba/nss_info/*.so mr,
>    /usr/lib*/samba/pdb/*.so mr,
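
Review bot: The glob in the added `/usr/lib*/samba/gensec/krb*.so mr,` line is narrower than its neighbours, which all use `*.so` for the `idmap`, `nss_info` and `pdb` module directories. If the restriction to `krb*` is deliberate least privilege, note that in the commit message so a later cleanup does not widen it by accident; if it is not, use `/usr/lib*/samba/gensec/*.so mr,` for consistency, since any other gensec module winbindd tries to load will otherwise be denied. The `mr` permission matches what the sibling module rules already grant.
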
> 
> 
> 